Outrunning the Regulators

The password to your bank account is about to be invalidated,” reads the e-mail. “To prevent this, please click on the following link and enter all your security information.”

The hapless individual who follows instructions, of course, risks giving away access to one or more bank accounts to cyberthieves. And as such devious practices become more sophisticated, regulators tend to get nervous. In fact, that anxiety has led the Federal Financial Institutions Examination Council (FFIEC) to add another layer of rules to those governing the banking industry, already among the most regulated business sectors in the United States. Under the new requirements drafted by the FFIEC, which was created in 1979 to establish uniform principles in federal bodies’ oversight of the industry, financial institutions must put more stringent controls on their electronic security by the end of 2006. Specifically, they must examine the ways in which they communicate electronically with customers, whether those interactions are on Web sites or interactive phone systems; they must determine what security threats exist on those systems, establish a process for assessing future risk, and formally educate their customers about security risks.

Banks don’t have much more time to meet the FFIEC’s demands and, unfortunately, many will make the minimum effort necessary to comply with the requirements, sigh in relief, and consider the task finished — thus leaving themselves unprepared for the FFIEC’s next set of guidelines.

This attitude does not just open the door to future noncompliance. It sets in place a debilitating cycle of increasing vulnerability. Given the constantly evolving state of security in financial services, banks that take a desultory approach to security are positioning themselves as the weakest members of the herd, and thus the most vulnerable to sophisticated “phishing” and “pharming” schemes, in which attackers gain access to customers’ accounts and personal data through e-mail fraud or Web traffic redirection. The FBI estimates that every incident of a Trojan virus attack costs banks at least $38,000 in revenue loss and employee hours — and that figure doesn’t take into account the harm to a company’s reputation and loss of customer confidence, which can be more damaging than the actual attack.

Companies in heavily regulated industries, a group that includes pharmaceuticals, health care, and utilities, often act as though the regulations that besiege them are irritating trivialities. However, new requirements can offer companies an opportunity to escape the cycle. For instance, instead of maintaining an ad hoc approach to foiling invasions and complying with regulations, banks should craft an overall public-facing security strategy. Although it can be difficult to persuade senior management to invest in long-range plans, there’s no better time to do it than when they are in the shadow of an imminent regulatory deadline — especially one that is disrupting the entire organization as the company marshals its resources to deal with it.

For example, in aiming to go beyond regulatory compliance and achieve security excellence, banks can institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they will meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address customers’ concerns about the security of online banking.

Instituting such a robust risk-mitigation program involves three elements. The first is to determine the most appropriate technical solution, which can be the biggest hurdle for many companies: They may not know how many Web sites they operate, security across the systems may be inconsistent, and key applications and services may reside on poorly secured systems. Therefore, banks, for example, should assess their current level of risk exposure and determine risk-mitigation strategies that will balance compliance, business objectives, and customer satisfaction. In implementing technical solutions, banks must avoid overly complex approaches, which may have higher-than-expected direct and indirect costs.

Articles published in strategy+business do not necessarily represent the views of PwC Strategy& Inc. or any other member firm of the PwC network. Reviews and mentions of publications, products, or services do not constitute endorsement or recommendation for purchase.